A Hybrid Approach to Privacy-Preserving Federated Learning

Truex, Stacey; Baracaldo, Nathalie; Anwar, Ali; Steinke, Thomas; Ludwig, Heiko; Zhang, Rui; Zhou, Yi

doi:10.48550/arxiv.1812.03224

Cited by 19 publications

(40 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is a limitation of the general Federated Learning protocol and is not exclusive to our approach. Recently, Geyer et al [8] and Truex et al [32] introduced frameworks that preserve client-level differential privacy. However, Melis et al demonstrated that privacy guarantees at the client-level are achieved at the expense of model performance and are only effective when the number of clients participating in the aggregation is significantly large, thousands or more [24].…”

Section: Discussionmentioning

confidence: 99%

Precision-Weighted Federated Learning

Reyes¹,

Jorio²,

Low‐Kam³

et al. 2021

Preprint

View full text Add to dashboard Cite

Federated Learning using the Federated Averaging algorithm has shown great advantages for large-scale applications that rely on collaborative learning, especially when the training data is either unbalanced or inaccessible due to privacy constraints. We hypothesize that Federated Averaging underestimates the full extent of heterogeneity of data when the aggregation is performed. We propose Precision-weighted Federated Learning 1 a novel algorithm that takes into account the second raw moment (uncentered variance) of the stochastic gradient when computing the weighted average of the parameters of independent models trained in a Federated Learning setting. With Precision-weighted Federated Learning, we address the communication and statistical challenges for the training of distributed models with private data and provide an alternate averaging scheme that leverages the heterogeneity of the data when it has a large diversity of features in its composition. Our method was evaluated using three standard image classification datasets (MNIST, Fashion-MNIST, and CIFAR) with two different data partitioning strategies (independent and identically distributed (IID), and non-identical and non-independent (non-IID)) to measure the performance and speed of our method in resource-constrained environments, such as mobile and IoT devices. The experimental results demonstrate that we can obtain a good balance between computational efficiency and convergence rates with Precision-weighted Federated Learning. Our performance evaluations show 9% better predictions with MNIST, 18% with Fashion-MNIST, and 5% with CIFAR-10 in the non-IID setting. Further reliability evaluations ratify the stability in our method by reaching a 99% reliability index with IID partitions and 96% with non-IID partitions. In addition, we obtained a 20𝑥 speedup on Fashion-MNIST with only 10 clients and up to 37𝑥 with 100 clients participating in the aggregation concurrently per communication round. The results indicate that Precision-weighted Federated Learning is an effective and faster alternative approach for aggregating private data, especially in domains where data is highly heterogeneous.

show abstract

Section: Discussionmentioning

confidence: 99%

Precision-Weighted Federated Learning

Reyes¹,

Jorio²,

Low‐Kam³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Existing Works Homomorphic Encryption [81], [82] DP CDP [7], [45] LDP [18], [83], [84], [85], [86], [87], [88] DDP+Cryptography [21], [89], [90] Secure Multiparty Computation [5], [91] While privacy preservation has been extensively studied in the machine learning community, privacy preservation in federated learning can be more challenging due to sporadic access to power and network connectivity, statistical heterogeneity in the data, etc. Existing works in privacypreserving federated learning typically are mostly developed based on previous privacy-preserving techniques, including: (1) homomorphic encryption, such as Paillier [92], Elgamal [93] and Brakerski-Gentry-Vaikuntanathan cryptosystems [94]; (2) Secure Multiparty Computation (SMC), such as garbled circuits [95] and secret sharing [96]; and (3) differential privacy [97], [98].…”

Section: Privacy-preserving Techniquesmentioning

confidence: 99%

“…The notion of DDP reflects the fact that the required level of noise in the target statistic is sourced from multiple participants [115]. Approaches to DDP that implement an overall additive noise mechanism by summing the same mechanism run at each participant (typically with less noise) necessitates mechanisms with stable distributions-to guarantee proper calibration of known end-to-end response distribution-and cryptography for hiding all but the final result from participants [21], [89], [90], [103], [104], [105], [115]. Stable distributions include Gaussian distribution, Binomial distribution [110], etc, i.e., sum of Gaussian random variables still follow a Gaussian distribution, and sum of Binomial random variables still follow a Binomial distribution.…”

Section: Definition 52 (( δ) Local Differential Privacy) a Randomize...mentioning

confidence: 99%

“…However, in DDP, only the sum of the individually released statistics is ( , δ)-differentially private but not the individually released statistic, i.e., r i is sufficient for this level of differential privacy, but individual noise r i alone is not sufficient, thus x i + r i cannot be released directly. Therefore, this necessitates the help of SMC to maintain utility and ensure aggregator obliviousness, as evidenced in [21], [89], [90], [103], [104], [105], [106].…”

Section: Definition 52 (( δ) Local Differential Privacy) a Randomize...mentioning

confidence: 99%

See 1 more Smart Citation

Privacy and Robustness in Federated Learning: Attacks and Defenses

Lyu¹,

Han²,

Ma³

et al. 2020

Preprint

View full text Add to dashboard Cite

As data are increasingly being stored in different silos and societies becoming more aware of data privacy issues, the traditional centralized training of artificial intelligence (AI) models is facing efficiency and privacy challenges. Recently, federated learning (FL) has emerged as an alternative solution and continue to thrive in this new reality. Existing FL protocol design has been shown to be vulnerable to adversaries within or outside of the system, compromising data privacy and system robustness. Besides training powerful global models, it is of paramount importance to design FL systems that have privacy guarantees and are resistant to different types of adversaries. In this paper, we conduct the first comprehensive survey on this topic. Through a concise introduction to the concept of FL, and a unique taxonomy covering: 1) threat models; 2) poisoning attacks and defenses against robustness; 3) inference attacks and defenses against privacy, we provide an accessible review of this important topic. We highlight the intuitions, key techniques as well as fundamental assumptions adopted by various attacks and defenses. Finally, we discuss promising future research directions towards robust and privacy-preserving federated learning.

show abstract

“…Besides, it does not protect data privacy against the aggregator. Treux et al [52] propose a hybrid approach for privacy-preserving federated learning that leverages DP and secure multi-party computation among collaborators. These works, although provably privacy-preserving, are not robust to poisoning attacks and produce models with undesirably poor privacy-utility tradeoffs [27].…”

Section: Related Workmentioning

confidence: 99%

Cronus: Robust and Heterogeneous Collaborative Learning with Black-Box Knowledge Transfer

Chang¹,

Shejwalkar²,

Shokri³

et al. 2019

Preprint

View full text Add to dashboard Cite

Collaborative (federated) learning enables multiple parties to train a global model without sharing their private data, but through repeated sharing of the parameters of their local models. Each party updates its local model using the aggregation of all parties' parameters, before each round of local training.Despite its advantages, this approach has many known privacy and security weaknesses and performance overhead, in addition to being limited only to models with homogeneous architectures. Shared parameters leak a significant amount of information about the local (and supposedly private) datasets. Besides, federated learning is severely vulnerable to poisoning attacks, where some participants can adversarially influence the aggregate parameters. Large models, with high dimensional parameter vectors, are in particular highly susceptible to privacy and security attacks: curse of dimensionality in federated learning. We argue that sharing parameters is the most naive way of information exchange in collaborative learning, as they open all the internal state of the model to inference attacks, and maximize the model's malleability by stealthy poisoning attacks.We propose Cronus, a robust collaborative machine learning framework. The simple yet effective idea behind designing Cronus is to control, unify, and significantly reduce the dimensions of the exchanged information between parties, through robust knowledge transfer between their black-box local models. We evaluate all existing federated learning algorithms against poisoning attacks, and we show that Cronus is the only secure method, due to its tight robustness guarantee. Treating local models as black-box, reduces the information leakage through models, and enables us using existing privacy-preserving algorithms that mitigate the risk of information leakage through the model's output (predictions). Cronus also has a significantly lower sample complexity, compared to federated learning, which does not bind its security to the number of participants. It also allows collaboration between models with heterogeneous architectures.

show abstract

A Hybrid Approach to Privacy-Preserving Federated Learning

Cited by 19 publications

References 33 publications

Precision-Weighted Federated Learning

Precision-Weighted Federated Learning

Privacy and Robustness in Federated Learning: Attacks and Defenses

Cronus: Robust and Heterogeneous Collaborative Learning with Black-Box Knowledge Transfer

Contact Info

Product

Resources

About